Re: Using crypto to solve a part of the DNS/TM mess


John R Levine (johnl@iecc.com)
Tue, 2 Mar 1999 13:46:40 -0500 (EST)


> I was told recently that if you have access to domain name servers you can
> in practice create temporary domains using unclaimed domain names -
> there's no particular punishment process for doing so, sites of that kind
> are just removed eventually.

That's not true. DNS is a hierarchy, with a well known set of root servers,
all with the same data (give or take update creep), that delegate sections of
the name space to other servers. For the domain www.trumansburg.ny.us, for
example, the roots delegate .us to a set of six servers including NS.ISI.EDU,
which in turn delegate trumansburg.ny.us to a couple of servers here which in
turn define www.trumansburg.ny.us.

You can create domains that are visible to people who use the servers you
control, but unless the authority for those domains is delegated
(recursively) from the roots, they won't be visible to anyone other than
people who use your servers for local domain service.

There's a bug in widely used versions of BIND, the most popular DNS server,
that makes it possible to pollute cached data in other people's servers that
have asked your server to resolve unrelated domains. It's a well known bug;
Gene Kashpureff got himself into serious legal hot water when he used it to
hijack internic.net for a few days last year. Current versions of BIND don't
have that problem, and there's quite a lot of IETF work on incremental DNS
update with suitable crypto to keep bad guys out.

> Does anybody know if/how it's possible to get domain names in the now
> defunct .su ? Do you have to be grandfathered in? Is there a chance that
> just unilaterally grabbing one might work?

Visit http://www.ripn.net with someone who can read Russian. As far as I
can make out, new registrations are accepted in .RU, but not .SU.

Different registrars have widely varying policies and widely varying degrees
of formality. I got the Armenian registry to delegate no.sp.am to me because
I run abuse.net and I used to live in Yerevan's sister city of Cambridge,
Mass., where we exchanged touring high school glee clubs.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
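
Added example (not part of the original message, and not BIND's code): a resolver-side bailiwick check, one way to enforce the delegation hierarchy described above, so that a server answering for one zone cannot get records for unrelated names such as internic.net cached. The function names, the addresses and the nottrumansburg.ny.us name are constructed for illustration.

```python
"""Resolver-side bailiwick filter (illustrative; all sample data is constructed)."""

def labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a descendant of it.

    The comparison is label by label, so 'nottrumansburg.ny.us' is NOT
    inside 'trumansburg.ny.us' even though the strings share a suffix.
    """
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def filter_response(zone, records):
    """Split records returned by a server delegated for `zone` into
    (cacheable, rejected). Only names inside the delegation are cacheable."""
    keep, drop = [], []
    for rec in records:
        (keep if in_bailiwick(rec[0], zone) else drop).append(rec)
    return keep, drop

# Constructed response from a server delegated trumansburg.ny.us.
# Addresses come from the documentation ranges and are not real.
SAMPLE = [
    ("www.trumansburg.ny.us.", "A", "192.0.2.10"),
    ("NS1.Trumansburg.NY.US.", "A", "192.0.2.53"),      # case-insensitive match
    ("internic.net.", "A", "203.0.113.66"),             # unrelated domain
    ("nottrumansburg.ny.us.", "A", "203.0.113.67"),     # string suffix only
]

if __name__ == "__main__":
    keep, drop = filter_response("trumansburg.ny.us", SAMPLE)
    for rec in keep:
        print("cache ", rec)
    for rec in drop:
        print("reject", rec)
```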



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:49